Add ACL checks into the network driver

Insert calls to the ACL checking APIs in all network driver entrypoints. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-04-23 11:56:22 +01:00 · 2013-04-23 11:56:22 +01:00 · 453da48b12
commit 453da48b12
parent c930410beb
2 changed files with 66 additions and 2 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -1227,8 +1227,11 @@ noinst_LTLIBRARIES += libvirt_driver_network.la
 endif
 libvirt_driver_network_impl_la_CFLAGS = \
-		$(LIBNL_CFLAGS) $(DBUS_CFLAGS) \
+		$(LIBNL_CFLAGS) \
-		-I$(top_srcdir)/src/conf $(AM_CFLAGS) $(DBUS_CFLAGS)
+		$(DBUS_CFLAGS) \
 		-I$(top_srcdir)/src/access \
 		-I$(top_srcdir)/src/conf \
 		$(AM_CFLAGS)
 libvirt_driver_network_impl_la_SOURCES = $(NETWORK_DRIVER_SOURCES)
 endif
 EXTRA_DIST += network/default.xml
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@ -65,6 +65,7 @@
 #include "virdbus.h"
 #include "virfile.h"
 #include "virstring.h"
 #include "viraccessapicheck.h"
 #define VIR_FROM_THIS VIR_FROM_NETWORK
@ -2834,6 +2835,9 @@ static virNetworkPtr networkLookupByUUID(virConnectPtr conn,
        goto cleanup;
    }
    if (virNetworkLookupByUUIDEnsureACL(conn, network->def) < 0)
        goto cleanup;
    ret = virGetNetwork(conn, network->def->name, network->def->uuid);
 cleanup:
@ -2857,6 +2861,9 @@ static virNetworkPtr networkLookupByName(virConnectPtr conn,
        goto cleanup;
    }
    if (virNetworkLookupByNameEnsureACL(conn, network->def) < 0)
        goto cleanup;
    ret = virGetNetwork(conn, network->def->name, network->def->uuid);
 cleanup:
@ -2887,6 +2894,9 @@ static int networkConnectNumOfNetworks(virConnectPtr conn) {
    int nactive = 0, i;
    struct network_driver *driver = conn->networkPrivateData;
    if (virConnectNumOfNetworksEnsureACL(conn) < 0)
        return -1;
    networkDriverLock(driver);
    for (i = 0; i < driver->networks.count; i++) {
        virNetworkObjLock(driver->networks.objs[i]);
@ -2903,6 +2913,9 @@ static int networkConnectListNetworks(virConnectPtr conn, char **const names, in
    struct network_driver *driver = conn->networkPrivateData;
    int got = 0, i;
    if (virConnectListNetworksEnsureACL(conn) < 0)
        return -1;
    networkDriverLock(driver);
    for (i = 0; i < driver->networks.count && got < nnames; i++) {
        virNetworkObjLock(driver->networks.objs[i]);
@ -2930,6 +2943,9 @@ static int networkConnectNumOfDefinedNetworks(virConnectPtr conn) {
    int ninactive = 0, i;
    struct network_driver *driver = conn->networkPrivateData;
    if (virConnectNumOfDefinedNetworksEnsureACL(conn) < 0)
        return -1;
    networkDriverLock(driver);
    for (i = 0; i < driver->networks.count; i++) {
        virNetworkObjLock(driver->networks.objs[i]);
@ -2946,6 +2962,9 @@ static int networkConnectListDefinedNetworks(virConnectPtr conn, char **const na
    struct network_driver *driver = conn->networkPrivateData;
    int got = 0, i;
    if (virConnectListDefinedNetworksEnsureACL(conn) < 0)
        return -1;
    networkDriverLock(driver);
    for (i = 0; i < driver->networks.count && got < nnames; i++) {
        virNetworkObjLock(driver->networks.objs[i]);
@ -2978,10 +2997,14 @@ networkConnectListAllNetworks(virConnectPtr conn,
    virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1);
    if (virConnectListAllNetworksEnsureACL(conn) < 0)
        goto cleanup;
    networkDriverLock(driver);
    ret = virNetworkList(conn, driver->networks, nets, flags);
    networkDriverUnlock(driver);
 cleanup:
    return ret;
 }
@ -2998,6 +3021,10 @@ static int networkIsActive(virNetworkPtr net)
        virReportError(VIR_ERR_NO_NETWORK, NULL);
        goto cleanup;
    }
    if (virNetworkIsActiveEnsureACL(net->conn, obj->def) < 0)
        goto cleanup;
    ret = virNetworkObjIsActive(obj);
 cleanup:
@ -3019,6 +3046,10 @@ static int networkIsPersistent(virNetworkPtr net)
        virReportError(VIR_ERR_NO_NETWORK, NULL);
        goto cleanup;
    }
    if (virNetworkIsPersistentEnsureACL(net->conn, obj->def) < 0)
        goto cleanup;
    ret = obj->persistent;
 cleanup:
@ -3186,6 +3217,9 @@ static virNetworkPtr networkCreateXML(virConnectPtr conn, const char *xml) {
    if (!(def = virNetworkDefParseString(xml)))
        goto cleanup;
    if (virNetworkCreateXMLEnsureACL(conn, def) < 0)
        goto cleanup;
    if (networkValidate(driver, def, true) < 0)
       goto cleanup;
@ -3226,6 +3260,9 @@ static virNetworkPtr networkDefineXML(virConnectPtr conn, const char *xml) {
    if (!(def = virNetworkDefParseString(xml)))
        goto cleanup;
    if (virNetworkDefineXMLEnsureACL(conn, def) < 0)
        goto cleanup;
    if (networkValidate(driver, def, false) < 0)
       goto cleanup;
@ -3284,6 +3321,9 @@ networkUndefine(virNetworkPtr net) {
        goto cleanup;
    }
    if (virNetworkUndefineEnsureACL(net->conn, network->def) < 0)
        goto cleanup;
    if (virNetworkObjIsActive(network))
        active = true;
@ -3344,6 +3384,9 @@ networkUpdate(virNetworkPtr net,
        goto cleanup;
    }
    if (virNetworkUpdateEnsureACL(net->conn, network->def, flags) < 0)
        goto cleanup;
    /* see if we are listening for dhcp pre-modification */
    for (ii = 0;
         (ipdef = virNetworkDefGetIpByIndex(network->def, AF_INET, ii));
@ -3479,6 +3522,9 @@ static int networkCreate(virNetworkPtr net) {
        goto cleanup;
    }
    if (virNetworkCreateEnsureACL(net->conn, network->def) < 0)
        goto cleanup;
    ret = networkStartNetwork(driver, network);
 cleanup:
@ -3502,6 +3548,9 @@ static int networkDestroy(virNetworkPtr net) {
        goto cleanup;
    }
    if (virNetworkDestroyEnsureACL(net->conn, network->def) < 0)
        goto cleanup;
    if (!virNetworkObjIsActive(network)) {
        virReportError(VIR_ERR_OPERATION_INVALID,
                       "%s", _("network is not active"));
@ -3547,6 +3596,9 @@ static char *networkGetXMLDesc(virNetworkPtr net,
        goto cleanup;
    }
    if (virNetworkGetXMLDescEnsureACL(net->conn, network->def) < 0)
        goto cleanup;
    if ((flags & VIR_NETWORK_XML_INACTIVE) && network->newDef)
        def = network->newDef;
    else
@ -3575,6 +3627,9 @@ static char *networkGetBridgeName(virNetworkPtr net) {
        goto cleanup;
    }
    if (virNetworkGetBridgeNameEnsureACL(net->conn, network->def) < 0)
        goto cleanup;
    if (!(network->def->bridge)) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("network '%s' does not have a bridge name."),
@ -3605,6 +3660,9 @@ static int networkGetAutostart(virNetworkPtr net,
        goto cleanup;
    }
    if (virNetworkGetAutostartEnsureACL(net->conn, network->def) < 0)
        goto cleanup;
    *autostart = network->autostart;
    ret = 0;
@ -3630,6 +3688,9 @@ static int networkSetAutostart(virNetworkPtr net,
        goto cleanup;
    }
    if (virNetworkSetAutostartEnsureACL(net->conn, network->def) < 0)
        goto cleanup;
    if (!network->persistent) {
        virReportError(VIR_ERR_OPERATION_INVALID,
                       "%s", _("cannot set autostart for transient network"));